Trivy under attack again: Widespread GitHub Actions tag compromise exposes CI/CD secrets
TL;DR Highlight
75 of Trivy vulnerability scanner's official GitHub Action tags were replaced with malicious code via force-push, exposing 10,000+ CI/CD pipelines to credential theft of AWS/GCP/Azure secrets and SSH keys.
Who Should Read
DevOps and backend developers running CI/CD pipelines with GitHub Actions who use security scanners like Trivy. If your team references aquasecurity/trivy-action by version tag, check immediately.
Core Mechanics
- Attackers force-pushed 75 of 76 version tags in the aquasecurity/trivy-action repository to malicious commits. Commonly used tags like @0.34.2, @0.33.0, @0.18.0 were all affected — @0.35.0 is currently the only safe tag.
- The malicious payload runs in GitHub Actions runner environments, dumping runner process memory to extract secrets, collecting SSH keys, and exfiltrating AWS/GCP/Azure credentials and Kubernetes service account tokens.
- The attack's sophistication lies in force-pushing existing tags rather than creating new branches or releases. This method barely shows up in commit history and doesn't trigger notifications, making detection difficult.
- The root cause traces back to credentials stolen during the early March OpenVSX VS Code extension compromise. The Trivy team rotated secrets, but the rotation wasn't atomic — the attacker is believed to have maintained access to newly issued tokens.
- Over 10,000 workflow files reference this Action on GitHub, and the malicious code runs before the legitimate Trivy scan starts, making it hard for users to notice anything unusual.
- Additional damage was confirmed on Docker Hub. Malicious Trivy image tags 0.69.4, 0.69.5, 0.69.6 were discovered on March 22, and the latest tag also pointed to the malicious image during the exposure window.
- Socket's AI scanner detected this campaign in real time starting March 20 at 19:15 UTC, generating 182 threat feed entries, all correctly classified as Backdoor/Infostealer/Reconnaissance malware.
- This is the second supply chain compromise in the Trivy ecosystem within the same month of March. Credentials stolen in the first breach were not fully neutralized and were reused in the second attack.
Evidence
- GitHub's official security guidelines recommend pinning Actions to full commit SHAs rather than version tags. This prompted suggestions that GitHub should enforce immutable version policies for Actions to prevent this class of attack entirely.
- Community questions arose about the specific failure in the credential rotation process. 'Given the second breach on March 22, it appears the attacker maintained access through two credential rotations.' With various GitHub token types (PAT, OAuth, GitHub App tokens), the exact type compromised remained unclear.
- Criticism of granting excessive permissions to security scanners emerged. One working developer said 'Security teams keep introducing new scanners demanding full codebase or cloud access — if I'd granted even 10% of those requests, we'd have been breached multiple times already,' warning about security tool supply chain risks.
- A developer apparently directly affected shared 'I'll probably spend the next few weeks writing dozens of reports and sitting through countless meetings,' expressing frustration that Trivy had been compromised twice.
- Practical advice like 'always run these tools in sandboxes to limit blast radius' was shared. Others noted this case should dispel the notion that only npm is targeted by supply chain attacks.
How to Apply
- If you reference aquasecurity/trivy-action by version tag (@0.34.2, etc.), review your workflow files immediately. Pin to a trusted commit's full SHA (e.g., uses: aquasecurity/trivy-action@commitSHA) instead — this protects against tag force-push replacements.
- If any workflow using aquasecurity/trivy-action ran after March 20, 19:15 UTC, immediately rotate all secrets used in that pipeline (AWS keys, GCP service accounts, Azure credentials, SSH keys, Kubernetes tokens). Beyond rotation, audit access logs for resources accessible with the old credentials.
- Minimize permissions granted to security scanners and third-party Actions in CI/CD pipelines. Restrict GITHUB_TOKEN permissions to read-only at the workflow level, and use OIDC (temporary token-based auth) for cloud credentials to limit the validity window of stolen credentials.
- Use tools like Socket, Dependabot, or Renovate to monitor GitHub Actions dependencies; they can detect tags that have been re-pointed at malicious commits in real time. Socket detected this attack live and classified it as Backdoor/Infostealer.
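The first step in "How to Apply" is finding every workflow that still references aquasecurity/trivy-action (or any third-party Action) by a mutable tag or branch instead of a full commit SHA. The following checker is an added example written for this page, not code from the article or from the Trivy project. It assumes the standard .github/workflows/ layout and that a 40-character hexadecimal ref is an immutable commit pin; the sample workflow embedded at the bottom is constructed for the demo, and the SHA in it is the one the article's own code example shows.

```python
"""Scan GitHub Actions workflow files for Actions referenced by a mutable
ref (tag or branch) rather than a full commit SHA.

Added example for this article (not the project's code). Assumes the usual
.github/workflows/*.yml layout; the sample workflow below is constructed.
"""
import re
from pathlib import Path

# Matches a `uses:` line of the form owner/repo[/path]@ref, with or without
# a leading "- " and an optional trailing comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# The Action whose tags the article reports as force-pushed; any tag
# reference to it is treated as critical because tags can be rewritten again.
TRIVY_ACTION = "aquasecurity/trivy-action"


def classify_ref(ref):
    """Return 'sha' for a full 40-hex commit pin, otherwise 'unpinned'.

    Short SHAs, tags and branch names are all 'unpinned': only a full SHA
    cannot be silently re-pointed by a force-push.
    """
    return "sha" if FULL_SHA_RE.match(ref) else "unpinned"


def scan_workflow_text(text, source="<string>"):
    """Return one finding per `uses:` reference found in the workflow text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        kind = classify_ref(ref)
        if kind == "sha":
            severity = "ok"
        elif action.lower() == TRIVY_ACTION:
            severity = "critical"   # tag ref to the Action known to be compromised
        else:
            severity = "warning"    # mutable ref to any other third-party Action
        findings.append({
            "source": source, "line": lineno, "action": action,
            "ref": ref, "kind": kind, "severity": severity,
        })
    return findings


def scan_workflow_dir(root=".github/workflows"):
    """Scan every *.yml / *.yaml file under root (assumed layout)."""
    findings = []
    for path in sorted(Path(root).glob("*.y*ml")):
        findings.extend(scan_workflow_text(path.read_text(), str(path)))
    return findings


def report(findings):
    """Print findings that need action and return how many there are."""
    actionable = [f for f in findings if f["severity"] != "ok"]
    for f in actionable:
        print(f"[{f['severity'].upper()}] {f['source']}:{f['line']} "
              f"{f['action']}@{f['ref']} ({f['kind']})")
    return len(actionable)


# Constructed sample: one tag-pinned trivy-action step, one SHA-pinned step,
# and one unrelated tag-pinned Action.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
permissions:
  contents: read
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.34.2
      - name: Run Trivy vulnerability scanner (pinned)
        uses: aquasecurity/trivy-action@a20de5420d57c4102547773ee84a9575c8d547ea # full SHA pin
"""

if __name__ == "__main__":
    # Run against the constructed sample; swap in scan_workflow_dir() for a real repo.
    raise SystemExit(1 if report(scan_workflow_text(SAMPLE_WORKFLOW, "sample.yml")) else 0)
```

Run it from the repository root (replacing the sample call with `scan_workflow_dir()`) as a CI gate: a non-zero exit means at least one Action is still reachable through a rewritable tag. Pinning to a SHA only helps if the SHA itself was taken from a trusted release, so verify each pinned commit against the upstream repository before adopting it.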
Code Example
# Vulnerable approach: version tag reference (can be replaced via force-push)
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.34.2 # ❌ Dangerous

# Safe approach: pinned to full commit SHA (immutable)
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@a20de5420d57c4102547773ee84a9575c8d547ea # ✅ Safe

# GitHub Actions minimum permission configuration example (workflow level)
permissions:
  contents: read          # Grant minimum permissions only
  security-events: write  # Only if needed for Trivy SARIF upload
  # OIDC cloud login (below) additionally requires: id-token: write

# Temporary AWS credentials via OIDC (minimizes damage if compromised)
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@commitSHA
        with:
          role-to-assume: arn:aws:iam::ACCOUNT:role/ROLE
          aws-region: ap-northeast-2
        # Do not hardcode aws-access-key-id / aws-secret-access-key here